Honeywall
Páginas: 51 (12700 palabras)
Publicado: 29 de noviembre de 2012
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Department of Computer Science, University of California, Santa Barbara
{bstone,marco,sullivan,rgilbert,msz,kemm,chris,vigna}@cs.ucsb.edu
ABSTRACT
Botnets, networks of malware-infected machinesthat are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study itsoperations for a period of ten days. During this time, we observed more than 180 thousand infections and recorded almost 70 GB of data that the bots collected. While botnets have been “hijacked” and studied previously, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique botinfections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of data from the infected victims. This data provides a new understanding of the type and amount of personal information that is stolen by botnets.
Categories and SubjectDescriptors
D.4.6 [Operating Systems]: Security and Protection—Invasive software
General Terms
Security
Keywords
Botnet, Malware, Measurement, Security, Torpig
1. INTRODUCTION
Malicious code (or malware) has become one of the most pressing security problems on the Internet. In particular, this is true for bots [5], a type of malware that is written with the intent of taking over alarge number of hosts on the Internet. Once infected
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or toredistribute to lists, requires prior specific permission and/or a fee. CCS’09, November 9–13, 2009, Chicago, Illinois, USA. Copyright 2009 ACM 978-1-60558-352-5/09/11 ...$10.00.
with a bot, the victim host will join a botnet, which is a network of compromised machines that are under the control of a malicious entity, typically referred to as the botmaster. Botnets are the primary means forcyber-criminals to carry out their nefarious tasks, such as sending spam mails [36], launching denial-of-service attacks [29], or stealing personal data such as mail accounts or bank credentials [16, 39]. This reflects the shift from an environment in which malware was developed for fun, to the current situation, where malware is spread for financial profit. Given the importance of the problem, significant researcheffort has been invested to gain a better understanding of the botnet phenomenon. One approach to study botnets is to perform passive analysis of secondary effects that are caused by the activity of compromised machines. For example, researchers have collected spam mails that were likely sent by bots [47]. Through this, they were able to make indirect observations about the sizes and activitiesof different spam botnets. Similar measurements focused on DNS queries [34, 35] or DNS blacklist queries [37] performed by bot-infected machines. Other researchers analyzed network traffic (netflow data) at the tier1 ISP level for cues that are characteristic for certain botnets (such as scanning or long-lived IRC connections) [24]. While the analysis of secondary effects provides interesting...
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Department of Computer Science, University of California, Santa Barbara
{bstone,marco,sullivan,rgilbert,msz,kemm,chris,vigna}@cs.ucsb.edu
ABSTRACT
Botnets, networks of malware-infected machinesthat are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study itsoperations for a period of ten days. During this time, we observed more than 180 thousand infections and recorded almost 70 GB of data that the bots collected. While botnets have been “hijacked” and studied previously, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique botinfections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of data from the infected victims. This data provides a new understanding of the type and amount of personal information that is stolen by botnets.
Categories and SubjectDescriptors
D.4.6 [Operating Systems]: Security and Protection—Invasive software
General Terms
Security
Keywords
Botnet, Malware, Measurement, Security, Torpig
1. INTRODUCTION
Malicious code (or malware) has become one of the most pressing security problems on the Internet. In particular, this is true for bots [5], a type of malware that is written with the intent of taking over alarge number of hosts on the Internet. Once infected
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or toredistribute to lists, requires prior specific permission and/or a fee. CCS’09, November 9–13, 2009, Chicago, Illinois, USA. Copyright 2009 ACM 978-1-60558-352-5/09/11 ...$10.00.
with a bot, the victim host will join a botnet, which is a network of compromised machines that are under the control of a malicious entity, typically referred to as the botmaster. Botnets are the primary means forcyber-criminals to carry out their nefarious tasks, such as sending spam mails [36], launching denial-of-service attacks [29], or stealing personal data such as mail accounts or bank credentials [16, 39]. This reflects the shift from an environment in which malware was developed for fun, to the current situation, where malware is spread for financial profit. Given the importance of the problem, significant researcheffort has been invested to gain a better understanding of the botnet phenomenon. One approach to study botnets is to perform passive analysis of secondary effects that are caused by the activity of compromised machines. For example, researchers have collected spam mails that were likely sent by bots [47]. Through this, they were able to make indirect observations about the sizes and activitiesof different spam botnets. Similar measurements focused on DNS queries [34, 35] or DNS blacklist queries [37] performed by bot-infected machines. Other researchers analyzed network traffic (netflow data) at the tier1 ISP level for cues that are characteristic for certain botnets (such as scanning or long-lived IRC connections) [24]. While the analysis of secondary effects provides interesting...
Leer documento completo
Regístrate para leer el documento completo.